International · Operational Technology · SA

NCA OTCC

NCA Operational Technology Cybersecurity Controls (OTCC-1:2022)

OTCC-1:2022

47 controls · 23 domains

About this framework

OTCC is Saudi Arabia's mandatory cybersecurity standard for operational technology, the control systems that run power, water, oil and gas, and industrial plants. Issued by the National Cybersecurity Authority, it extends the ECC controls across 23 subdomains for OT environments.

Who needs this

Mandatory for Saudi operators of operational technology in energy, utilities, oil and gas, and manufacturing.

Cross-framework coverage

Controls in NCA OTCC also cover:

NCA ECC-2 20 shared
NIST CSF 19 shared
CIS Controls 19 shared
Qatar NIA 19 shared
UAE IA 19 shared


Control domains

1-1 · Cybersecurity Policies and Procedures 3
1-1-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-1-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-1-3
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-2 · Cybersecurity Roles and Responsibilities 1
1-2-1
NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-3 · Cybersecurity Risk Management 1
1-3-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-4 · Cybersecurity in Industrial Control System Project Management 2
1-4-1
NCA ECC-2 · NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-4-2
NCA ECC-2 · NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-5 · Cybersecurity in Change Management 4
1-5-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS · DORA · HIPAA Security Rule
1-5-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS · DORA · HIPAA Security Rule
1-5-3
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS · DORA · HIPAA Security Rule
1-5-4
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS · DORA · HIPAA Security Rule
1-6 · Periodical Cybersecurity Review and Audit 2
1-6-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-6-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-7 · Cybersecurity in Human Resources 2
1-7-1
NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · NCA CCC
1-7-2
NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS · PCI DSS 4.0.1 · Cyber Essentials · Cyber Essentials Plus · NIS2 · NCA CCC
1-8 · Cybersecurity Awareness and Training Program 2
1-8-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
1-8-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-1 · Asset Management 2
2-1-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-1-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-2 · Identity and Access Management 2
2-2-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-2-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-3 · System and Processing Facilities Protection 2
2-3-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · ADHICS · NIS2 · GDPR (EU) · UK GDPR · SAMA CSF
2-3-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · ADHICS · NIS2 · GDPR (EU) · UK GDPR · SAMA CSF
2-4 · Network Security Management 2
2-4-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · ADHICS
2-4-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NCA ECC-2 · Qatar NIA · UAE IA · ADHICS
2-5 · Mobile Devices Security 2
2-5-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-5-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-6 · Data and Information Protection 2
2-6-1
NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · ADHICS · PCI DSS 4.0.1 · NIS2 · NCA CCC · SAMA CSF
2-6-2
NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · ADHICS · PCI DSS 4.0.1 · NIS2 · NCA CCC · SAMA CSF
2-7 · Cryptography 2
2-7-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-7-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-8 · Backup and Recovery Management 2
2-8-1
NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · ADHICS
2-8-2
NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · ADHICS
2-9 · Vulnerabilities Management 2
2-9-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-9-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-10 · Penetration Testing 2
2-10-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-10-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-11 · Cybersecurity Event Logs and Monitoring Management 2
2-11-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-11-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-12 · Cybersecurity Incident and Threat Management 2
2-12-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-12-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-13 · Physical Security 2
2-13-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
2-13-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · HIPAA Security Rule · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
3-1 · Business Continuity Management (BCM) 2
3-1-1
NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · ADHICS
3-1-2
NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · ADHICS
4-1 · Third-Party Cybersecurity 2
4-1-1
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
4-1-2
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · HIPAA Security Rule · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · ADHICS
